Two weeks ago, an article was published accusing an IT worker at North Carolina State University of gathering personal information about political activists and LGBTQIA+ folks and distributing that information so that they could be targeted for harassment and violence. This worker had previously worked for the university’s libraries, so naturally the news was all over library Twitter. He also is allegedly a member of a far-right extremist organization, though he denies this and all other charges. The evidence against him is in my opinion pretty damning, but that’s not really relevant to my point today.
When I first heard about this incident, the Twitter rumor was that the accused was currently working in the university and was passing along information from the library’s databases. While this doesn’t appear to be exactly the case, at the time it gave me that sense of relief you get when it turns out you were right about something all along. I work for a library consortium that does a lot of technical support, so I have full access to the personal details for a truly alarming number of people. I’m a responsible and sober person who values privacy, so I don’t go poking around outside of necessary job duties, but when my employer handed me the metaphorical keys to the system I was surprised that there wasn’t an accompanying privacy talk. It’s explicitly assumed that we’re all librarians here, and librarians don’t reveal patron data to anyone.
That’s the ideal, of course, but people make bad decisions every day, even librarians and library staff. I hadn’t imagined a white supremacist scenario, but I worried about student workers with unhappy love lives and petty revenge schemes, or underemployed circ staff trapped in an MLM with rapidly eroding scruples. I was able to think of a dozen situations where information access could be abused, but no one was talking about it in either my classes or my jobs. What can the average grad student do to be more proactive about patron privacy?
Read specialist blogs.
Let someone else do all the hard thinking for you! Searching for “library data security” produces plenty of results. LDH Consulting Services, which specializes in library privacy, has recently written about internal threats. You can find their blog by clicking here.
Familiarize yourself with your Integrated Library System’s privacy features.
I won’t lie, this one will probably be a headache. Library vendors are not known for the clarity of their writing. If slogging through the documentation prevents you from exposing patron data to the world, however, it will be worth it. Keep at it and you could learn how to prevent internal data issues, too. If your library uses Ex Libris’ Alma, you may have access to a sandbox where you can play around without breaking anything. Ask your systems librarian, or whoever got saddled with dealing with the ILS.
Take a course or two on cybersecurity.
If you’re currently attached to a university, your school’s IT department probably issues webinars about data security on a regular basis. My undergrad institution offers free courses towards a cybersecurity certification for alumni; maybe yours does, too. Your public library or local senior center may offer classes. There are books and internet videos. You have options, is what I’m saying, and all of them look great on a resume.
Being proactive about data security now can save you a lot of trouble down the road. Start small but start today.
Emily is a second year MS/LIS student at the University of Illinois, Urbana-Champaign. She has plans to become a cybersecurity expert, French chef, and fluent Urdu speaker during winter break, but will most likely spend all of her time napping and reading novels about libraries.